Wednesday, March 23, 2016

What is POS Malware?

POS malware is malware that cybercriminals use to steal victims' sensitive credit card data and exploit it for malicious purposes, causing heavy financial loss to the victims.

POS malware infects a POS system and then collects a user's credit card data from the system when the card is swiped to make a payment.

What is POS?

POS, or Point of Sale, is the time and place where a retail transaction is completed.

Merchants normally use a system to collect POS data from customers. A POS system may consist of a weighing scale, a scanner, electronic and manual cash registers, a payment terminal, etc. When a customer makes a payment, the POS system registers the customer's POS data once the payment is made.

In a POS malware attack, cybercriminals use malware to infect the POS system and extract users' sensitive credit card data from it.

Different methods of getting credit card data

In earlier days, cybercriminals used additional hardware to steal users' credit card data from the POS system. They would install malicious hardware into the POS system and read the sensitive data from cards whenever they were swiped.

But cybercriminals gradually found this attack rather inconvenient, and so they started infecting the POS system with malware to collect the sensitive data instead.

How does POS malware obtain credit card data?

POS malware typically uses several steps to infect a POS system and collect sensitive data from it. The steps of a typical POS malware attack are described below:

Infiltration of the corporate network

To install malware on a POS system, attackers need to access the system first. A POS system is not normally connected to the internet, but it is connected to the corporate network. So the attackers first try to infiltrate the target corporate network.

Attackers may use several methods to gain access to the corporate network. They may use an SQL Injection attack (To know more: What is an SQL Injection Attack?) against a web server, break into a device using a default manufacturer password, or send phishing emails to an individual within the organization, and then carry out further attacks to infiltrate the target corporate network.

Gaining Access to the POS Systems

After infiltrating the corporate network, attackers try to gain access to the target POS systems.

The simplest methods they can use for that purpose are keylogging Trojans (To know more: Keyloggers), extracting password hashes from the server, or applying brute-force methods to obtain login credentials for the systems.

Stealing Data

Normally, when sensitive credit card data travels from one system to another, it is encrypted. But the data is not encrypted while it is being processed, that is, before it is transmitted or stored.

Attackers typically use RAM-scraping malware to read the data from RAM, where it is kept temporarily whenever a credit card is swiped.
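The defender's counterpart to RAM scraping is scanning memory images and process dumps for exposed card data, which is how an incident responder confirms that a register was actually leaking track data. The following is an added example written for this page, not code from the original post: it looks for the Track 2 layout (start sentinel, PAN, field separator, expiry, service code, end sentinel) in a byte buffer and keeps only candidates whose PAN passes the Luhn check, so random digit runs are not reported. The sample buffer is constructed and uses a well-known test card number; the offsets and field names are assumptions of this example.

```python
import re
from typing import Dict, List

# Track 2 magnetic-stripe layout, as it appears in memory on a swipe:
#   ';' <PAN 13-19 digits> '=' <expiry YYMM> <service code 3 digits> <discretionary> '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so the finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> List[Dict[str, object]]:
    """Scan a memory image for Track 2 data and return Luhn-validated findings."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue                # structurally similar but not a real PAN
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed sample "memory dump": one valid test PAN (4111111111111111),
# one digit run that fails Luhn, and one field too short to be a PAN.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP\x00"
    b";4111111111111111=2512101000000?"
    b"\x00\x00;4111111111111112=2512101000000?"
    b"\x00junk;12345=0000000?"
)

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_DUMP):
        print(hit)   # one finding: offset 9, PAN 411111******1111
```

In practice the buffer would come from a process dump of the payment application; masking the PAN before logging keeps the scanner itself from becoming a second place where card data is written in the clear.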

Maintaining Stealth

As the attackers mostly manage to obtain administrative credentials for the systems, they often scrub logs, disable monitoring software and systems, or modify the configuration of the security software to avoid detection.
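Log scrubbing and the disabling of security services leave their own traces on Windows hosts: the Security log records event 1102 when it is cleared, the System log records 104 when another log is cleared, 4719 records a change to the audit policy, and 7040 records a change to a service's start type. The following is an added example, not code from the original post: it reads constructed event records in CSV form (the columns, host names and message wording are assumptions of this example) and raises an alert for each of those events, treating a 7040 as suspicious only when a watchlisted security service is set to disabled.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Windows event IDs that indicate tampering with logging or monitoring.
SUSPICIOUS_EVENTS = {
    1102: "Security audit log cleared",
    104: "Event log cleared",
    4719: "System audit policy changed",
    7040: "Security service start type changed",
}

# Hypothetical watchlist of service names whose start-type changes matter here.
MONITORED_SERVICES = ("windefend", "eventlog", "sysmon")


@dataclass
class Alert:
    time: str
    host: str
    event_id: int
    reason: str


def detect_log_tampering(csv_text: str) -> List[Alert]:
    """Return one Alert per suspicious event found in the CSV export."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        if event_id not in SUSPICIOUS_EVENTS:
            continue
        message = row["message"].lower()
        if event_id == 7040:
            # Only care about security services being disabled, not routine changes.
            if "disabled" not in message:
                continue
            if not any(svc in message for svc in MONITORED_SERVICES):
                continue
        alerts.append(Alert(row["time"], row["host"], event_id, SUSPICIOUS_EVENTS[event_id]))
    return alerts


# Constructed sample export from a register and a back-office server.
SAMPLE_EVENTS = """time,host,channel,event_id,message
2016-03-21T02:14:05,POS-REG-07,Security,4624,"An account was successfully logged on"
2016-03-21T02:15:10,POS-REG-07,Security,1102,"The audit log was cleared"
2016-03-21T02:15:30,POS-REG-07,System,7040,"The start type of the WinDefend service was changed from auto start to disabled"
2016-03-21T02:16:00,POS-REG-07,System,7040,"The start type of the Spooler service was changed from demand start to disabled"
2016-03-21T02:17:00,BO-SRV-01,System,104,"The System log file was cleared"
"""

if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_EVENTS):
        print(alert)   # three alerts: 1102, 7040 (WinDefend), 104
```

Because these events are written on the host being tampered with, the check is only reliable when events are forwarded to a collector the register's administrator account cannot reach; a cleared local log is itself the signal, so the forwarded copy of event 1102 is what the alert depends on.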

Exfiltration

After collecting the sensitive data, the malware sends it to a staging server, from which it is transmitted to the attackers later.

The attackers normally compromise an internal system that frequently communicates with the POS systems and use it as the staging server. Then, at a suitable time, the data is transferred to the attackers, often by way of a number of other compromised internal systems.

Prevention

Use of EMV or “chip and PIN” technology can reduce POS malware attacks to a large extent.

EMV cards contain embedded microprocessors that provide strong transaction security. EMV cards never transmit credit card data in the clear, which makes them considerably less attractive to cybercriminals. These cards are also much more difficult for attackers to clone.